Author: Aaron Pritz, CEO, Principal Consultant, Co-Founder at Reveal Risk

Cyber security has seen a "gold rush" of mitigation tools, intelligence engines, and managed service providers, along with buzzwords like Artificial Intelligence (AI), Machine Learning (ML), blockchain, behavioral analytics, and deception technology. While some genuinely outstanding technical innovation has come to market, there is also a significant amount of "noise". This noise shows up as redundant functionality, vaporware (especially when marketing people decide in a vacuum that their tool now has AI, ML, and blockchain), and tools that don't play nice together. While a bit of duplication and overly ambitious marketing is to be expected, it does seem that many corporate information security programs have become "tool heavy" and "implementation light". Some may choose to blame CISOs and security leaders for unwise investments. However, vendors share responsibility as well. FUD (Fear, Uncertainty and Doubt) has become an unfortunate sales tactic for making teams and leaders believe that they will eventually perish without a given tool or service.

Let's take this problem way back to basics with an analogy to a carpenter: a profession of ancient history, but modern artistic relevance. There is a saying in carpentry: "measure twice, cut once." It stems from the problem carpenters face if they cut their materials without measuring (and re-measuring to avoid error). If they cut first, short of luck, they are bound to end up with piles of scrap and to spend a lot of resources repurchasing materials and redoing work. Now, let me point out what you are likely thinking: woodworking is much more predictable than cyber security! In woodworking, you usually have a plan, measurements are pre-defined, and you have a vision of what you want your outcome to be. Ahhh! Doesn't that sound relaxing!
But while I have a friend who would happily quit the day job to be a woodworker, that is not a dream of mine. What can information security and privacy professionals learn from a carpenter?

Understand why you are making what you want to make

A woodworker has someone requesting something (like a rocking chair), knows someone needs it, or needs one for themselves. Would they be well served to make a tree swing in a town with no trees? Similarly, an information security leader knows they have risks, but which risks? What are the worst things that could happen to their business in a cyber-attack or insider theft event? Do they specifically know where the affected areas, assets, processes and people are? Are they focusing on those with more energy than on everything else? Otherwise, they may be trying to "boil the ocean." Security leaders must spend more time understanding the business in which they work, how business processes work (and work together), and what is most critical and deserves the most attention. It is no longer only about protecting certain pieces of information. It is (and really has ALWAYS been) about protecting the confidentiality, integrity, and availability of information, assets, products, and business processes across the company.

Have an initial vision and design for what you are making

Information security and privacy is about as far away from designing a rocking chair as you can get. (Although some folks can be a bit "off their rockers" when it comes to rational security architecture.) Defense in Depth, as too often practiced, is an industry-speak way of saying, "I've got a lot of stuff stacked on top of each other and hopefully it closes all the holes." There is also an unrelated saying that "hope is not a strategy!" We need to think more comprehensively about our security architecture strategies and about how tools will work together symbiotically to produce amplified outcomes (not competing priorities and conflict).
Architecture, much like creating a compelling design for a rocking chair (especially if plans don't already exist), takes time. Some carpenters may prefer to start swinging the hammer and karate-chopping boards, but they end up with too much scrap material, three-legged chairs, and bloody thumbs! While speed is usually a good leadership attribute, it must be tempered with well-planned design. I truly believe security architects will be the heroes and rock stars of at least the next decade.

Measure twice, cut once!

Measuring is time consuming for woodworkers. Not only do good woodworkers measure twice before cutting, they often measure the post-cut piece to make sure the saw landed correctly and that it fits with the adjacent piece it connects to. In information security, many teams are in a constant "fire drill." They are plagued with trying to move new projects forward while responding to seemingly never-ending security events. Security programs are receiving larger budgets than they ever have, but in certain cases they are delivering less finished product than before their ship came in. Measurement can sometimes seem like a burden or a waste of resources that would otherwise go towards stopping the bad guys. Most programs don't maintain or advertise a metric for the scrap and waste created in haste (maybe they should!). Just as the carpenter spends time measuring before and after each cut, security programs may actually go faster, be more effective, and produce less waste and distraction if they spend time measuring before and after controls are enabled: what the risk looked like before the control, whether the control actually does what it was bought to do once it is live, and whether it still does so after the surrounding environment changes. Also as with the carpenter, measuring how controls fit together (like two custom pieces of wood) is critical to yielding the desired outcome of risk reduction. I strongly advocate that all security, privacy, and risk leaders invest in tools that enable complex measurements in the simplest ways. Tools like TrustMAPP are everything I was hoping to get out of a GRC (governance, risk, and compliance) platform, and far more.
I use it to simplify evaluation of program-level and asset-level controls, formulate my improvement strategy, measure and track commitments against investment and time, and, most importantly, communicate upwards in simple terms and with visual aids. You can drop $2 million and five years of a sizable staff on a GRC, or you can use TrustMAPP to pivot your focus back to moving the ball forward. (Disclaimer: I am so passionate about this need that I now serve on the advisory board for TrustMAPP.)

Additionally, I have become very excited about measuring "value at risk". Ask yourself: if you were able to quantify the financial impact of a security event or loss across various business areas, processes, and systems, would that be something your company executives could use to finally get serious about information security? Of course! You would be talking their language ($)! Control measurement and value at risk, used in tandem or alone, can dramatically improve your data-driven decision making, strengthen your executive presence and credibility with senior leaders, and translate information security into business terms. With all that is at risk in cyber security and the complexity of the CISO role, we must invest in ourselves and ramp up our ability to tell a compelling story.

Clean up your workshop!

The great carpenters I know are not buried in clutter-ridden workshops. They cannot afford to spend valuable time digging through piles and piles of scrap to find a choice piece of lumber. Similarly, with everything on the market today, there are "board, screw, and nail dealers" on every corner who would LOVE for you to be unable to find a single thing in your workshop so that you buy more from them. We have to do a better job of throwing out what is broken or scrap "material". It is a distraction. The IT industry has been through a "reduce" and "rationalization" phase for as long as I can remember.
However, this mentality isn't quite as solidified in cyber security (for good and bad reasons), and it takes time to decommission systems: a control should not be pulled out until you have confirmed what other controls and processes depended on it. Let's remember, if we want to have more time to swing the hammer, we can't afford to let the clutter fester.

Nailing it all together

Ultimately, taking a step back and thinking about problems from a completely different perspective can help reset your focus and increase your success. A carpenter and his or her team can produce beautiful outcomes that are admired for years. However, this is usually sustainable only if the careful behind-the-scenes planning, initial measurement, and quality checks are done. If you only love swinging the hammer, you had better put some highly effective, risk-minded and measurement-minded experts around you to help enable your success.

__________________

Aaron Pritz is the CEO of Reveal Risk and a former Eli Lilly senior IT/Security/Privacy/Risk leader with over 20 years of experience. He co-founded Reveal Risk in 2018 after seeing significant corporate leadership and "strategy to operations" capability gaps in the cyber security and privacy consulting industry. Learn how Reveal Risk can help you reveal your actual company risks, impacts, and controls before making significant information security and privacy program investments.